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DETAILED ACTION 

1. Claims 1-30 are pending. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1 .17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on December 27, 2007 has been entered. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

3. Claims 21-30 rejected under 35 U.S.C. 101 because the claimed invention is directed to 
non- statutory subject matter. 

Claims 21-30 are directed to a "computer program product" only, which constitutes 
software and no tangible hardware. Thus, claims are non-statutory since software alone is non- 
statutory. 

Claim Rejections - 35 USC § 103 

The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 
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4. Claims 1-6, 8, 10-16, 18, 20-26, 28 and 30 are rejected under 35 USC 103(a) as 
unpatentable over Ramsey et al. (U.S. Patent No. 7,331,061), hereafter "Ramsey", in view of 
Douglas et al. (US Pat. No. 6269400), hereafter "Douglas" and further in view of Cass 
("Anatomy of Malice", Spectrum IEEE, Nov. 2001, vol. 35, issue 11, pages: 56-60), hereafter 
"Cass". 

With regard to claims 1, 6, 8, 10, 16, 18, 20, 26, 28 and 30 Ramsey substantially teaches 
a network virus defense system comprising: 

A network virus/worm sensor (Fig. 2, item 250) operable in a number of modes arranged 
to detect a computer virus or a computer worm in the network such that the bandwidth of the 
network is substantially unaffected in a first mode in that data packets are not removed from or 
added to the data stream, but are copied, and wherein when the virus sensor detects the computer 
virus, the virus sensor switches to a second mode, wherein the data packets are not copied and 
wherein a subset of data packets determined to be infected or suspected of being infected are not 
returned to the network, (12:43-56, denies packets, detects and removes viruses, 16:8- 16, shows 
no packets are removed or added, 18: 17-19:34, packets are copied to the anti-virus module, and 
aren't copied to the secure network when found to be infected); 

A controller that is updated with new detection rules, storing a rules engine used to store 
and source a plurality of detection rules for detecting computer viruses and worms using 
statistical results of observed abnormal events as recorded and monitored by a virus monitor; 

the abnormal events defined in policies and the plurality of detection rules in the virus 
monitor; and 
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wherein the virus monitor generates an abnormal behavior report which is evaluated by a 
server which determines an action to perform (12:43-56, 16:8-16, shows no packets are removed 
or added, 18:17-19:34, virus signatures and intrusion detection signatures are statistical results of 
observed abnormal events recorded by the monitors which are defined by rules in the firewall, 
anti-virus module and IDS and the virus monitor generates a report that is assessed by and IDS in 
order to determine whether to drop, reject, deny, etc. the packet). 

Ramsey does not disclose a network virus sensor self registration module coupled to the 
network virus/worm sensor arranged to automatically self register the associated network 
virus/worm sensor. Douglas, on the other hand, discloses a network virus sensor self registration 
module coupled to the network virus/worm sensor (col. 3, lines 28-31, HTTP server reads on self 
registration module) arranged to automatically self register the associated network virus/worm 
sensor (col. 4, lines 65-68). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify Ramsey by the methods of self registration coupled to 
the network virus/worm sensor automatically self register the associated network virus/worm 
sensor as taught by Douglas, and would be motivated to conduct automatically discovery and 
registration of available agents on a distributed network because it requires low CPU utilization 
and requires minimal programming of the agents (Douglas, col. 2, lines 38-39). 

Neither Ramsey nor Douglas discloses an anti-virus agent creation module that creates a 
detection module, infection module and payload. However, Cass discloses creating a detection 
module, an infection module and a payload (Section "Source of Mischief ' page 59). 
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It would have been obvious for one of the skill in the art to modify the teachings of 
Ramsey and Douglas to include the creation of a detection module, an infection module and a 
payload as taught by Cass, and would be motivated to provide an effective defense by 
understanding the cause and mechanism of infection (Cass, page 56, paragraph 5, lines 1-3). 

With regard to claims 1 1 and 2 1 , limitations of the instant claims have been discussed in 
claim 1 above with the exception of the following limitation. 

Neither Ramsey nor Douglas discloses creating a detection module that detects whether a 
client device is infected with a virus and triggers the introduction of an anti-virus infection 
module so that the virus in the client device is overwritten and an anti-virus payload created 
based on features of the selected computer virus and perform as cleaning/repairing payload 
capable of cleaning and repairing damage done to the client device. 

Cass, on the other hand, discloses a detection module for detecting whether a client 
device is presently infected with a virus, triggers the introduction of an anti-virus infection 
module so that the virus in a client device is overwritten, wherein an anti-virus agent payload, 
created based on features of the selected computer virus, performs as a cleaning/repairing 
payload capable of cleaning and repairing damage done to the client device, the payload also 
capable of inoculating the client device against the virus in cases where the client device was not 
infected by the computer virus ("Source of Mischief section, page 59). 

It would have been obvious for one of the skill in the art to modify the teachings of 
Ramsey and Douglas to include creating a detection module that detects whether a client device 
is infected with a virus and triggers the introduction of an anti-virus infection module so that the 
virus in the client device is overwritten and an anti-virus payload created based on features of the 
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selected computer virus and perform as cleaning/repairing payload capable of cleaning and 
repairing damage done to the client device as taught by Cass, and would be motivated to provide 
an effective defense by understanding the cause and mechanism of infection (Cass, page 56, 
paragraph 5, lines 1-3). 

With regard to claims 2, 12, and 22, Douglas further discloses the network virus/worm 
self registration module collects selected network environmental information and network 
configuration information (col. 4, lines 61-64, host name and operating system indicate network 
environmental and configuration information). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify the teachings of Ramsey and Cass to include self 
registration coupled to the network virus/worm sensor automatically self register the associated 
network virus/worm sensor as taught by Douglas and would be motivated to conduct 
automatically discovery and registration of available agents on a distributed network (Douglas, 
col. 2, lines 38-39). 

With regard to claims 3,13 and 23, Douglas further discloses the selected network 
environmental information includes an IP address for all of the relevant client devices included 
in the IP-based network (col. 3, lines 61-64). It would have been obvious to one of the ordinary 
skill in the art at the time of the applicant's invention was made to modify the teachings of 
Ramsey and Cass by including an IP address for all the relevant client devices included in the 
network, as taught by Douglas, and would be motivated to conduct automatically discovery and 
registration of available agents on a distributed network (Douglas, col. 2, lines 38-39). 
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With regard to claims 4, 14 and 24, Douglas further discloses the network configuration 
information includes self configuration information related to an appropriate IP address for the 
network virus/worm sensor (col. 4, lines 61-64, host name indicates self configuration). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify the teachings of Ramsey and Cass to include the 
network configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor, as taught by Douglas, and would be 
motivated to conduct automatically discovery and registration of available agents on a distributed 
network (Douglas, col. 2, lines 38-39). 

With regard to claims 5, 15 and 25, Douglas further discloses the network configuration 
information includes locations of all relevant server computers (col. 3, lines 60-62, list of IP 
addresses indicates locations of all relevant server computers). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify the teachings of Ramsey and Cass to include the 
network configuration information includes locations of all relevant server computers, as taught 
by Douglas, and would be motivated to conduct automatically discovery and registration of 
available agents on a distributed network (Douglas, col. 2, lines 38-39). 
5. Claims 7, 9, 17, 19, 27 and 29 are rejected under 35 USC 103(a) as unpatentable over 
Ramsey in view of Douglas in view of Cass as applied to claims 1,11 and 21 above and further 
in view of White et al. ("Anatomy of a Commercial-Grade Immune System, IBM Research 
White Paper, 1999, 
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http:llwww.research.ibm.comlantivimslSd^ hereafter 
"White. 

With regard to claims 7, 17 and 27, neither Ramsey, Douglas, nor Cass discloses an 
outbreak prevention policy (OPP) distribution and execution engine that provides a set of anti- 
virus policies, protocols, and procedures suitable for use by a system administrator for both 
preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak. 

White, on the other hand, discloses an outbreak prevention policy (OPP) distribution and 
execution engine (Fig. 3, page 14, Supervisor, Gateways, and admin system indicates OPP 
distribution and execution engine) that provides a set of anti -virus policies (page 13, Cure 
Distribution section, second paragraph, lines 5-8, install the updated virus definition indicates 
antivirus policies), protocols (page 20, Classification section, first paragraph), and procedures 
(page 14, second paragraph, lines 4-12) suitable for use by a system administrator for both 
preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak 
(page 13, Cure distribution section, first paragraph and second paragraph lines 5-7). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify the teachings of Ramsey, Douglas, and Cass to include 
an outbreak prevention policy (OPP) distribution and execution engine that provides a set of anti- 
virus policies, protocols, and procedures suitable for use by a system administrator for both 
preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak, as 
taught by White and would be motivated to provide an immune system that can find, analyzed, 
and cure previously unknown viruses faster than the viruses themselves can spread (White, page 
2, first paragraph, lines 1-2). 
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With regard to claims 9, 19 and 29, neither Ramsey, Douglas nor Cass discloses each of 
the outbreak prevention policy distribution and execution engines are updated with a set of anti- 
virus policies, a set of anti-virus protocols, and a set of anti-virus procedures. White, on the other 
hand, discloses each of the outbreak prevention policy distribution and execution engines (Fig. 3, 
page 14, Supervisor, Gateways, and admin system indicates OPP distribution and execution 
engine) are updated with set of anti-virus policies (page 13, Cure Distribution section, second 
paragraph, lines 5-8, install the updated virus definition indicates antivirus policies), protocols 
(page 20, Classification section, first paragraph), and procedures (page 14, second paragraph, 
lines 4-12). 

It would have been obvious to one of the ordinary skill in the art at the time of the 
applicant's invention was made to modify the teachings of Ramsey, Douglas, and Cass to include 
each of the outbreak prevention policy distribution and execution engines are updated with a set 
of anti-virus policies, a set of anti-virus protocols, and a set of anti-virus procedures, as taught by 
White and would be motivated to provide an immune system that can find, analyzed, and cure 
previously unknown viruses faster than the viruses themselves can spread (White, page 2, first 
paragraph, lines 1-2). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KRISTIN D. SANDOVAL whose telephone number is (571)272- 
7958. The examiner can normally be reached on Monday - Friday, 8:00-5:30. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Kristin D Sandoval 

Examiner 

Art Unit 2132 

/K. D. S./ 

Examiner, Art Unit 2132 



/Benjamin E Lanier/ 

Primary Examiner, Art Unit 2132 



